Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.First of all, thanks for this module. We really rely on it.
We've got a site with a complex permissions model: revisioning and Domain Access are already installed, and we're about to install TAC Lite. Even with Module Grants in place, we're getting node_access('view') returning TRUE, even when access to the node page itself is denied. So the file is being served, although its node shows a 403.
Looking into the menu router for "node/%", it turns out that its access callback is _revisioning_view_edit_access_callback(). While I haven't dug into quite how that callback manages to get the three permissions models to work together - especially given that Module Grants really ought to have that access callback - if I load the menu router item in filefield_file_download(), and use its access callback rather than node_access(), then everything works!
I'll attach a patch presently for discussion.
| Comment | File | Size | Author |
|---|---|---|---|
| #2 | filefield-complex-permissions-model-1937282-2.patch | 1.06 KB | victoriachan |
| #1 | filefield-complex-permissions-model-1937282-1.patch | 967 bytes | jp.stacey |
Comments
Comment #1
jp.stacey CreditAttribution: jp.stacey commentedPatch attached. I appreciate this is a complex case, so I'd love feedback.
Comment #2
victoriachan CreditAttribution: victoriachan commentedAdapted the patch for filefield 6.x-3.12